如何保护 .htaccess 的 php 文件不被 php5 崩溃下载
昨晚我对我的网络服务器进行了一些管理更改。我用的是php.更新后 php 处理器出现故障,如果有人访问我的主页,php 页面只会下载并向任何访问者显示专有代码和密码。所以我想知道是否有一种方法可以防止使用 .htaccess 以任何形式下载 php 文件,但仍然允许正常查看文件。
Last night I made some admin changes to my webserver. I use php. The php processor failed after the update and if someone went to my homepage, the php page would simply download and show the proprietary code and password to anyone visiting. So I was wondering if there is a way to prevent any form of download for php files using .htaccess -- but still allow for normal viewing of the files.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
开发过程中要遵循的一个好模式是使用最小的初始化文件,该文件调用驻留在 Webroot 之外的实际应用程序。这样,在这种情况下,只会暴露没有关键信息的最小存根。
简化示例:
A good pattern to follow during development is to use a minimal initialization file, which invokes the actual application which resides outside the webroot. That way only a minimal stub with no critical information is exposed in a case like this.
Simplified example:
这里的问题是 .htaccess 要么向用户提供文件,要么不提供。您不能告诉它拒绝访问
.php文件,因为这样在正常使用期间访问也会被拒绝。对于 PHP 处理器未正确运行而言,没有后备行为。在做这样的大事时,也许值得暂时将网络根目录移动到“正在维护”的网站,以尽可能降低风险。
The trouble here is that either .htaccess is serving your files to the user or it's not. You can't tell it to deny access to the
.phpfiles, because then access will be denied during normal use, as well. There is no fallback behavior for the PHP processor simply not running correctly.Maybe it's worth temporarily moving the web root to point to an "under maintenance" site when doing big things like that, to minimize risk as much as possible.
假设您使用的是 Apache,您的 .htaccess 文件将如下所示。
第一条规则拒绝访问所有 .php 文件。默认情况下,用户将看到 403(禁止)错误。
如果 PHP5 模块成功加载,第二条规则将生效,授予访问权限。
Assuming you're using Apache, your .htaccess file would look something like this.
The first rule denies access to all .php files. By default, the user will see a 403 (Forbidden) error.
If the PHP5 module successfully loads, the second rule will take affect, which grants access.